multena-rbac-collector

command module

v0.1.7 Latest Latest Go to latest Published: Nov 23, 2023 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gepaplexx/multena-rbac-collector

Links

Open Source Insights

README ¶

Multena RBAC Collector

License

multena-rbac-collector is a Go program designed to retrieve all cluster/-roles, role bindings, and cluster role bindings from a Kubernetes cluster and process them for integration with multena-proxy. This enables multena-proxy to make informed authorization decisions based on the fetched RBAC data.

Installation

go get github.com/gepaplexx/multena-rbac-collector

Key Features

Two Modes:
- Run: One-time collection of RBAC data.
- Serve: Continuous collection of RBAC data, leveraging Kubernetes watch API.
ConfigMap Storage: Use the --cmName and --cmNamespace flags to specify a ConfigMap in the cluster to store the RBAC data.
Local Output: In the run mode, the YAML is also outputted as a local file.

Usage

multena-rbac-collector [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  run         Collects RBAC permissions and stores them in a ConfigMap
  serve       Starts continuous RBAC collection

Flags:
      --cmName string        in-cluster name of the ConfigMap to store the RBAC data
      --cmNamespace string   cluster namespace of the ConfigMap to store the RBAC data
      --config string        config file (default is $HOME/.multena-rbac-collector.yaml)
  -h, --help                 help for multena-rbac-collector
      --kubeconfig string    path to the kubeconfig file (default is $HOME/.kube/config for local development)
  -t, --toggle               Help message for toggle

Serve mode

graph TD

    %% Definitions
    Serve["Serve()"]
    Watch["Watch()"]
    watchResources["watchResources(resourceType)"]
    Signal[Signal]

    %% Serve function logic
    Serve --> |go| Watch
    Serve --> |HTTP invoke| Signal

    %% Watch function logic
    Watch --> |go| watchResources
    Watch --> UpdateConfigmapLoop

    %% Watch Resources Logic
    subgraph WatchResourceLoop["Watch Resources Loop"]
        watchResources --> |List| ListResources["List Resource"]
        ListResources --> WatchEvent[Watch Resources & Handle Events]
        WatchEvent --> AddResource["Add Resource"]
        WatchEvent --> ModifyResource["Modify Resource"]
        WatchEvent --> DeleteResource["Delete Resource"]
    end

    %% Connecting Watch Events to Signal
    AddResource --> Signal
    ModifyResource --> Signal
    DeleteResource --> Signal

    %% Processing Signal Logic
    subgraph UpdateConfigmapLoop["Update Configmap Loop"]
        ProcessSignal["Process Signal"]
        ProcessSignal --> DrainSignal["Drain Signal"]
        ProcessSignal --> CheckEquality["Check Maps Equality"]
        CheckEquality --> WriteConfigmap["Write Configmap"]
    end

    Signal --> ProcessSignal

Permissions for `multena-rbac-collector`

To run the multena-rbac-collector, you need to grant it the following permissions in your Kubernetes cluster:

RBAC Authorization

RoleBindings:
- API Group: rbac.authorization.k8s.io
- Resources: rolebindings
- Verbs: get, list, watch
ClusterRoleBindings:
- API Group: rbac.authorization.k8s.io
- Resources: clusterrolebindings
- Verbs: get, list, watch
Roles:
- API Group: rbac.authorization.k8s.io
- Resources: roles
- Verbs: get, list, watch
ClusterRoles:
- API Group: rbac.authorization.k8s.io
- Resources: clusterroles
- Verbs: get, list, watch

Core Resources

ConfigMaps:
- API Group: ""
- Resources: configmaps
- Verbs: get, create, update

Please ensure that these permissions are correctly set before deploying the multena-rbac-collector to your Kubernetes environment.

You can find a sample clusterrole binding for these permissions at this link.

Deploying via Helm chart

the multena-rbac-collector can be deployed via the gp-multena Helm chart. Desciption how to deploy Multena can be found here.

To deploy the rbac-collector using the gp-multena Helm chart, ensure you set the following values:

rbac-collector:
  enabled: true

the helm chart can be found here.

Implementation Details

The package server provides the functionalities of serving endpoints /healthz for checking health and /invoke to manually trigger the RBAC data collection.

For continuously watching the RBAC changes in the Kubernetes cluster, the program leverages Kubernetes watch API. Upon detection of any changes, the RBAC data is processed, compared, and stored in the specified ConfigMap.